Date: 09/19/2024
Severity: High
Summary
Identifies the initial execution of FakeUpdates/SocGholish malware through wscript, which subsequently runs commands using cmd or PowerShell.
Indicators of Compromise (IOC) List
| Field | Values |
| --- | --- |
| ParentImage | '\wscript.exe' |
| ParentCommandLine | '\AppData\Local\Temp', '.zip', 'update', '.js', 'Chrome', 'Edge', 'Firefox', 'Opera', 'Brave', 'Vivaldi' |
| Image | '\cmd.exe', '\powershell.exe', '\pwsh.exe' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Logic |
| --- | --- |
| Detection Query 1 | (resourcename = "Windows Security" AND eventtype = "4688") AND message In ("\AppData\Local\Temp",".zip","update",".js","Chrome","Edge","Firefox","Opera","Brave","Vivaldi") AND processname In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
| Detection Query 2 | technologygroup = "EDR" AND message In ("\AppData\Local\Temp",".zip","update",".js","Chrome","Edge","Firefox","Opera","Brave","Vivaldi") AND processname In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
| Detection Query 3 | (resourcename = "Sysmon" AND eventtype = "1") AND parentimage = "\wscript.exe" AND parentcommandline IN ("\AppData\Local\Temp",".zip","update",".js","Chrome","Edge","Firefox","Opera","Brave","Vivaldi") AND image In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
| Detection Query 4 | technologygroup = "EDR" AND parentimage = "\wscript.exe" AND parentcommandline IN ("\AppData\Local\Temp",".zip","update",".js","Chrome","Edge","Firefox","Opera","Brave","Vivaldi") AND image In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
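The following Python is an added example, not part of this advisory or the Gurucul product, showing the parent/child logic of Queries 3 and 4 applied to Sysmon Event ID 1 records (Queries 1 and 2 match only on the child's message, without the wscript.exe parent condition). It treats the %TEMP% path and the .zip extension as required and the remaining IOC tokens as any-of lure keywords, which is how the referenced Sigma rule groups them; the flattened queries above list all tokens in a single IN clause. Matching is case-insensitive because Windows paths are. The `ProcessEvent` field names, the user name and the sample command lines are constructed for the demonstration.

```python
"""Detect the FakeUpdates/SocGholish chain in Sysmon Event ID 1 records:
wscript.exe running a lure .js from a ZIP under %TEMP% that then spawns
cmd.exe, powershell.exe or pwsh.exe."""

from dataclasses import dataclass

# Token lists taken from the advisory's IOC table (lowercased for matching).
PARENT_IMAGE_SUFFIX = "\\wscript.exe"
PARENT_CLI_REQUIRED = ("\\appdata\\local\\temp", ".zip")          # both must be present
PARENT_CLI_LURE = ("update", ".js", "chrome", "edge",
                   "firefox", "opera", "brave", "vivaldi")        # at least one must be present
CHILD_IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


@dataclass
class ProcessEvent:
    """Minimal subset of Sysmon Event ID 1 fields needed here (constructed schema)."""
    event_id: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def is_socgholish_chain(ev: ProcessEvent) -> bool:
    """True when a wscript.exe parent launched from a ZIP-extracted lure in %TEMP%
    spawns a command shell; mirrors Detection Queries 3 and 4."""
    if ev.event_id != 1:                      # only process-creation events apply
        return False
    parent = ev.parent_image.lower()
    parent_cli = ev.parent_command_line.lower()
    child = ev.image.lower()
    if not parent.endswith(PARENT_IMAGE_SUFFIX):
        return False
    if not all(tok in parent_cli for tok in PARENT_CLI_REQUIRED):
        return False
    if not any(tok in parent_cli for tok in PARENT_CLI_LURE):
        return False
    return child.endswith(CHILD_IMAGE_SUFFIXES)


def find_alerts(events: list[ProcessEvent]) -> list[int]:
    """Return indices of events that match the detection, for triage."""
    return [i for i, ev in enumerate(events) if is_socgholish_chain(ev)]


# Constructed sample records: one true positive and three benign/non-matching cases.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    # 0: lure script extracted from a fake browser-update ZIP in %TEMP%, spawning cmd.exe
    ProcessEvent(1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver", WSCRIPT,
                 r'"C:\Windows\System32\wscript.exe" '
                 r'"C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.12345.js"'),
    # 1: legitimate logon script run by wscript.exe from a share; no %TEMP%/.zip tokens
    ProcessEvent(1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net use", WSCRIPT,
                 r'"C:\Windows\System32\wscript.exe" "\\corp.example\netlogon\map_drives.vbs"'),
    # 2: explorer.exe (not wscript.exe) launching PowerShell from a %TEMP% ZIP path
    ProcessEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File script.ps1", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\explorer.exe" "C:\Users\alice\AppData\Local\Temp\tools.zip"'),
    # 3: same parent as the true positive, but a network-connection event (ID 3), not ID 1
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver", WSCRIPT,
                 r'"C:\Windows\System32\wscript.exe" '
                 r'"C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.12345.js"'),
]

if __name__ == "__main__":
    for idx in find_alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event[{idx}]: {ev.parent_image} -> {ev.image}")
        print(f"  parent cmdline: {ev.parent_command_line}")
```

Tuning note: the required-token check is what keeps this from firing on every wscript.exe logon script; if a tenant's users routinely open ZIP attachments from %TEMP% via Explorer, the `Temp1_` folder prefix in the parent command line is a useful triage clue that the script ran straight from the archive.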
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml